DDOS ATTACKS – WHAT IS IT ALL ABOUT?

By Kiandra - Security team

24/10/2013

Distributed Denial of Service (DDoS) is nothing new; it has been around since the early days of networked communications. What has changed is that, as technology has evolved and improved, so has our ability to see how common these attacks really are.

For those of you who are not aware what a DDoS attack is: it is essentially a way of flooding or exhausting a network resource and/or a system so that it becomes unavailable to legitimate users, services and requests. The goal, of course, is to cause a temporary or extended outage for the target.

What are the main targets?

Bi-annually, the Akamai State of the Internet report is released, and it provides great insight into the DDoS attack landscape.

The targets vary greatly depending on the circumstances and the type of attack; however, websites / web applications are the most popular, followed by upstream Internet providers, and then other Internet-facing services such as Microsoft Directory Services, SQL Server and Terminal Services.

Here is the latest data from Akamai:

[Figure: Akamai State of the Internet data on the most attacked services (top 7) – image not reproduced]

As a penetration tester I perform a large number of assessments for organisations and government bodies of all sizes. In a lot of engagements I see simple mistakes, such as misconfigured networking devices leaving unnecessary services open to the internet (including the top 7 services above). Every such service is an additional avenue through which the organisation can be compromised and/or hit with a DDoS attack.

If we look at what kinds of web sites / applications are being targeted, here are the current stats from Akamai.

[Figure: Akamai State of the Internet data on DDoS targets by region – image not reproduced]

You can see above that although America is the most frequently targeted region, the Asia Pacific region is starting to catch up.

Who are the bad guys?

According to Akamai’s latest report, Indonesia has this year finally surpassed China as the main culprit.

What are the main targets and why?

These days every company can be a target. DDoS is one of the primary threats facing virtually every industry and business connected to the internet, not just the high-profile organisations. Although figures 3 and 4 highlight Commerce and Enterprise, I tend to see these types of attacks coming from people such as disgruntled employees, or hacktivists – people like Anonymous and other hacktivist groups who love to target companies or governments to make a political point, or to attack a target that does something they feel encroaches on their freedoms or the freedoms of others. Look at Operation Payback back in 2010, a series of attacks carried out by Anonymous in the name of Julian Assange. These attacks targeted companies such as Mastercard and Visa, bringing down their websites because they had stopped working with, or had frozen donations to, Wikileaks. And, of course, don't forget the cybercrooks who profit from performing these attacks on behalf of clients, using hosted services to do their dirty work.

There are other hacktivist groups as well, such as the Syrian Electronic Army, which claimed responsibility for a number of attacks against large news and media companies to spread propaganda about the Syrian regime and President Bashar al-Assad.

If we look at the Spamhaus DDoS from March this year, which was flagged as the biggest DDoS attack in history, it was carried out purely because of the type of work that the company (Spamhaus) does.

Spamhaus compiles and maintains lists of ISPs, domains and email servers that are known spammers, so that service providers can block huge volumes of malicious email. Of course, as a result, it really gets under the skin of spammers who are trying to make a buck (some scammers make around 20K a month spreading the blue pills throughout the world).

A visualisation of current attacks

Digital Attack Map is a fantastic live data visualisation of DDoS attacks happening around the globe in real-time, built through a collaboration between Google Ideas and Arbor Networks.

So what can we do about it?

Depending on how your website or web application is hosted, many hosting providers will offer some detection and filtering capabilities to protect your sites, but this should be verified: contact your provider and find out exactly what they offer.

Your ISP may also provide some level of protection, but often only if you pay additional fees. Large cloud providers such as Amazon provide some limited forms of protection as well.

If you are hosting your websites / web applications on-premises, you want to ensure that you have an Intrusion Prevention System or another gateway filtering appliance / platform providing this protection. In a lot of engagements I have seen firewalls / appliances with this capability, but it is often not turned on or not configured.
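To make the "detection and filtering" idea concrete, here is an added example (not code from the original post or from Kiandra) of the simplest check a gateway filter performs: counting requests per source address over a sliding window and flagging sources that exceed a threshold. It assumes a Common Log Format access log, processed in time order; the log lines below are constructed, and the threshold values are arbitrary placeholders that a real deployment would tune.

```python
"""Per-source request-rate detector over web server access logs.

Added illustration only: a real IPS or gateway appliance uses richer
heuristics (connection state, SYN rates, geo and reputation data), but
the per-source sliding-window count is the core of most of them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.5 sends eight requests in five seconds,
# 198.51.100.7 sends two requests thirty seconds apart.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [24/Oct/2013:10:00:00 +1100] "GET / HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Oct/2013:10:00:01 +1100] "GET /about HTTP/1.1" 200 1024',
    '203.0.113.5 - - [24/Oct/2013:10:00:01 +1100] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Oct/2013:10:00:01 +1100] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Oct/2013:10:00:02 +1100] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Oct/2013:10:00:02 +1100] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Oct/2013:10:00:03 +1100] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Oct/2013:10:00:03 +1100] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Oct/2013:10:00:04 +1100] "GET / HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Oct/2013:10:00:30 +1100] "GET /contact HTTP/1.1" 200 2048',
])


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def find_flooders(lines, window_seconds=10, max_requests=5):
    """Return {ip: peak_requests_in_window} for every source that exceeded
    max_requests within any window_seconds span. Lines must be in time order."""
    windows = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the monitor
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have slid out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} requests inside a 10s window, candidate for rate limiting")
```

Note that a single-source threshold like this catches a flood from one address; a distributed attack spreads the load across many sources, which is why the page's advice to rely on the provider's upstream filtering (which sees the aggregate) is still needed on top of a local appliance.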

Organisations should limit the services exposed to the internet: the more services that are reachable, the more attack avenues an attacker can leverage.
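One practical way to act on this is to audit what is actually listening on your public addresses against a short list of services you intend to expose. The following is an added example (not code from the original post or from Kiandra) that reads an nmap grepable-output scan of your own address space and flags every open port that is not on the allowlist, naming the high-risk services the page calls out (Microsoft Directory Services, SQL Server, Terminal Services) by their well-known default ports. The scan output below is constructed, and the allowlist of just HTTP and HTTPS is an assumption for the sake of the example.

```python
"""Audit internet-facing listeners against an allowlist of intended services.

Input format is assumed to be nmap's grepable output (-oG), where each host
line carries a tab-separated "Ports:" field of port/state/proto/... entries.
The scan below is constructed for illustration.
"""

# Services that should normally be reachable from the internet (assumption).
PUBLIC_ALLOWLIST = {("tcp", 80), ("tcp", 443)}

# Default ports of the services the article names as common DDoS targets
# that should not be exposed; these are the standard Microsoft/IANA defaults.
HIGH_RISK = {
    ("tcp", 389): "LDAP (Microsoft Directory Services)",
    ("tcp", 636): "LDAPS (Microsoft Directory Services)",
    ("tcp", 3268): "Global Catalog (Microsoft Directory Services)",
    ("tcp", 1433): "Microsoft SQL Server",
    ("udp", 1434): "SQL Server Browser",
    ("tcp", 3389): "Terminal Services / RDP",
}

SAMPLE_SCAN = "\n".join([
    "# constructed nmap grepable output for three public hosts",
    "Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)",
    "Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 1433/open/tcp//ms-sql-s///, "
    "389/open/tcp//ldap///",
    "Host: 203.0.113.12 ()\tPorts: 25/open/tcp//smtp///",
])


def parse_grepable(text):
    """Return a list of (host, proto, port) for every open port in -oG output."""
    listeners = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open":
                listeners.append((host, proto, int(port)))
    return listeners


def audit(listeners, allowlist=PUBLIC_ALLOWLIST):
    """Flag every open listener not on the allowlist, with a description and
    the recommended action (restrict to internal/VPN access or deny at the edge)."""
    findings = []
    for host, proto, port in listeners:
        key = (proto, port)
        if key in allowlist:
            continue
        findings.append({
            "host": host,
            "proto": proto,
            "port": port,
            "service": HIGH_RISK.get(key, "unexpected service"),
            "action": "restrict to internal/VPN access or deny at the perimeter",
        })
    return findings


if __name__ == "__main__":
    for f in audit(parse_grepable(SAMPLE_SCAN)):
        print(f"{f['host']} {f['proto']}/{f['port']}: {f['service']} -> {f['action']}")
```

Run the scan from outside your perimeter (or from a host that sees the same view as the internet) so the audit reflects what an attacker can actually reach rather than what the firewall rule set claims.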

Ensure that you are regularly undertaking penetration testing of your network(s); I recommend annually at a minimum. Pentesting is the best mitigation technique a company can utilise to ensure that its network is secure from attackers, as well as to confirm it is resilient against attacks such as DoS or DDoS.

Kiandra can test for DDoS attacks (link saturation attacks or similar), help enforce DDoS protection measures on your existing devices, and test your internet-facing services for exploit- or payload-based Denial of Service conditions.